FTC Gives HTC a Good Shaking Over Bungled Security

The Federal Trade Commission last week reached a settlement with HTC America over charges the company failed to take reasonable steps to secure the software in its smartphones and tablet computers.

The security flaws could have compromised the privacy of millions of consumers, the agency said.

This is the FTC's first case against a mobile device manufacturer.

The settlement calls for the company to patch the vulnerabilities and indeed, HTC and its network partners have already deployed many security patches to consumers' devices. The settlement also calls for HTC to establish a comprehensive security program and to undergo independent security assessments every other year for the next 20 years.

Finally, the settlement prohibits HTC America from making false or misleading statements about the security and privacy of consumers' data on its devices.

Multiple Flaws

The FTC identified an assortment of vulnerabilities that HTC either introduced or failed to address.

Among those introduced were a number of "permission re-delegation" vulnerabilities in its custom, preinstalled applications. For example, under the Android operating system's security framework, a third-party application must receive the user's permission to access the device's microphone.

However, HTC preinstalled a custom voice recorder application that could be exploited to allow third-party access to the device's microphone, the FTC charged. An attacker -- or a third-party app operating without permission -- could exploit the flaw by surreptitiously recording phone conversations or tracking a user's physical location.

The vulnerability also left consumers open to "toll fraud" -- that is, the practice of sending text messages to premium numbers in order to charge fees to the user's phone bill.
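As an added illustration of the permission re-delegation problem described above (example code, not taken from the article, the FTC complaint or HTC), the following Python audit reads an app manifest and flags components that other apps can reach with no permission check while the app itself holds sensitive permissions such as microphone or SMS access; the manifest and package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions whose re-delegation maps to the harms the FTC described:
# microphone capture, location tracking and premium-SMS toll fraud.
SENSITIVE = {"android.permission.RECORD_AUDIO",
             "android.permission.ACCESS_FINE_LOCATION",
             "android.permission.SEND_SMS"}
# Constructed sample manifest for a hypothetical preinstalled recorder app;
# it is not HTC's manifest and the package name is made up.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.voicerecorder">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <!-- exported and unguarded: any app can drive the recorder -->
    <service android:name=".RecorderService" android:exported="true"/>
    <!-- exported but guarded by a custom permission -->
    <receiver android:name=".SmsSender" android:exported="true"
              android:permission="com.example.voicerecorder.INTERNAL"/>
    <!-- no exported attribute, but an intent-filter exported it by default
         on releases before Android 12 -->
    <activity android:name=".ShareActivity">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
    <activity android:name=".MainActivity" android:exported="false"/>
  </application>
</manifest>
"""

def find_redelegation_risks(manifest_xml: str) -> list:
    """List (component name, tag) reachable by other apps with no permission
    check, but only if the app itself holds a SENSITIVE permission."""
    root = ET.fromstring(manifest_xml)
    held = {u.get(ANDROID_NS + "name") for u in root.iter("uses-permission")}
    if not (held & SENSITIVE):
        return []  # nothing worth re-delegating
    risks = []
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            exported_attr = comp.get(ANDROID_NS + "exported")
            # Pre-Android-12 default: an intent-filter implies exported="true".
            implicit = exported_attr is None and comp.find("intent-filter") is not None
            exported = exported_attr == "true" or implicit
            guarded = comp.get(ANDROID_NS + "permission") is not None
            if exported and not guarded:
                risks.append((comp.get(ANDROID_NS + "name"), tag))
    return risks
```

Each flagged component needs either android:exported="false" or an android:permission guard before the app ships; the same check belongs in a vendor's build pipeline for every preinstalled app.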

Beginning in 2009, HTC embedded Carrier IQ diagnostic software on its Android-based and Windows Mobile-based devices at the direction of network operators Sprint and AT&T. The carriers were using Carrier IQ to collect a variety of information.

"In order to embed the Carrier IQ software on its mobile devices, HTC developed a 'CIQ Interface' that would pass the necessary information to the Carrier IQ software," the FTC complaint states.

"The information collected by the Carrier IQ software was supposed to have been accessible only to the network operators, but because HTC used an insecure communications mechanism, any third-party application on the user's device that could connect to the internet could exploit the vulnerability to communicate with the CIQ Interface ...," it notes.

Sending a Message

The FTC came down hard on HTC because it completely ignored blatant security violations after being notified of them, Lamar Bailey, director of security research and development for nCircle, told the E-Commerce Times.

"The FTC clearly chose to make an example of HTC to send a message to the industry; they want to make sure hardware and software vendors realize they need to take security and privacy far more seriously," he said.

Unfortunately for consumers, it's all too common for hardware resellers to overlook security when customizing software, Bailey continued.

"Generally, they have no business processes in place to respond to security concerns so they just ignore them," he pointed out. "These companies generally hire software developers that aren't trained in application security, so it's not surprising that security is neglected during the development process."

Agency Overreach?

That said, the fact that the FTC is directing mobile device developers in how to build their products is a bit worrisome, said Amy Purcell, an attorney with Fox Rothschild.

The FTC is instructing HTC America about how to build its products, she told the E-Commerce Times.

The HTC settlement serves as yet another example of the FTC stepping in to create data security standards in the absence of legislation, said Purcell, essentially using its enforcement actions to create laws informally.